Portable information storage medium and its authentication method

ABSTRACT

Authentication data (R) comprising random numbers generated by a reader/writer (200) is given to an IC card (100), encrypted by utilizing a secret key (α), and returned as encryption data (C). This encryption data (C) is decoded by utilizing an open key (β) to authenticate the IC card. Past given authentication data (R) is stored in an authentication data storage section (130); if newly given authentication data (R) is the same as the past data, an encryption operating section (150) is prevented from executing the encrypting operation, which blocks an illegal statistical analysis technique that repeatedly gives the same authentication data (R) to the encrypting operation.

TECHNICAL FIELD

The present invention relates to a portable information recording medium and an authentication method for the same and, more specifically, an authentication method for authenticating validity of an IC card when accessing the IC card from external equipment and an IC card which is suitable for such an authentication method.

BACKGROUND ART

A portable information recording medium typified by an IC card has rapidly spread in conjunction with downsizing of technology, and it is only a matter of time before IC cards become prevalent among individual general users. Thus, as portable information recording media such as IC cards have increasingly come to be used as a tool that is essential in social life, security becomes an important question. To access an IC card, a so-called reader/writer device is used, and a computer system carries out an exchange of data with the inside of the IC card via this reader/writer device. Normally, when an IC card is inserted into a reader/writer device, processing is executed for authenticating each other.

Authentication of an IC card from a reader/writer device is normally made according to a method in which arbitrary authentication data (using random numbers) is provided from the reader/writer device to the IC card together with an authentication command, and it is verified whether or not the IC card makes a correct response. Concretely, a public key cryptosystem is used, and a secret key α is stored inside an authentic IC card in advance, authentication data (arbitrary random numbers) provided in the reader/writer device is encoded by using this secret key α, and encoded data thus obtained is fed back as a response. Then, the reader/writer device decodes this encoded data that has been fed back as a response, and authenticates the IC card based on a judgment whether or not data obtained through this decoding process agrees with the original authentication data.

The secret key α stored in the IC card is normally structured so as not to be externally read out by any method, so that it is very difficult to imitate an IC card having a correct secret key α. Therefore, according to the above-mentioned method, if data that is obtained by decoding the encoded data fed back as a response agrees with the original authentication data, it is authenticated that an IC card is not fake.

As mentioned above, logically, a secret key α stored in an IC card is prevented from being externally read out by any method. However, in reality, there is a method for externally detecting a secret key α stored in an IC card in a nondestructive manner by analyzing physical phenomena (for example, electric power consumption) in operation of the IC card. For example, a method called DPA (Differential Power Analysis) is based on a principle in which, by statistically analyzing a waveform of electric power consumption of an IC card, the contents of a secret key α are estimated. Concretely, in a condition where a measuring system for measuring electric current consumption inside an IC card is connected to a power supply terminal, etc., of the IC card, predetermined authentication data is repeatedly sent from a reader/writer device, an encoding operation using a secret key α is executed inside the IC card, and a power consumption waveform at this point is analyzed, whereby the contents of the secret key α are statistically detected.

An object of the present invention is, therefore, to provide an authentication method for a portable information recording medium, by which reliable security against illegal analyzing methods as mentioned above can be secured.

DISCLOSURE OF THE INVENTION

(1) The first feature of the present invention resides in an authentication method for authenticating a portable information recording medium as valid when external equipment accesses the portable information recording medium, comprising:

an operation defining step for determining a first key α, a second key β, an encoding operation, and a decoding operation so that encoded data C is obtained by executing the encoding operation using the first key α for arbitrary authentication data R and data identical to the authentication data R is obtained by executing the decoding operation using the second key β;

a medium preparing step in which the first key α is stored in the portable information recording medium, and a processing function for executing the encoding operation is prepared for the portable information recording medium;

a random number transmitting step in which the external equipment generates a random number or numbers, and the random number or numbers are transmitted to the portable information recording medium as authentication data R;

an authentication data storing step in which the transmitted authentication data R is received and stored in a predetermined storing location inside the portable information recording medium;

a judging step in which it is investigated whether or not a newly transmitted authentication data R agrees with previously stored authentication data R in the portable information recording medium, and when it is determined that the newly transmitted authentication data R disagrees with any of the previously stored authentication data R, it is judged that encoding is permitted;

an encoding step in which, when encoding is permitted in the judging step, the encoding operation using the first key α is executed for the transmitted authentication data R, and resulted encoded data C is returned to the external equipment;

a decoding step in which the decoding operation using the second key β is executed in the external equipment for the encoded data C that has been returned from the portable information recording medium; and

an authenticating step in which, when data identical to the authentication data R transmitted in the random number transmitting step is obtained as a result of the decoding operation, the portable information recording medium is authenticated as valid.

(2) The second feature of the present invention resides in the authentication method for authenticating a portable information recording medium according to the first feature, wherein:

prior to the authentication data storing step, the judging step is carried out for the authentication data R that has been transmitted in the random number transmitting step, and only when encoding is permitted in the judging step, the authentication data storing step is carried out.

(3) The third feature of the present invention resides in the authentication method for authenticating a portable information recording medium according to the first or second feature, wherein:

a plural number n of storing locations at which authentication data R can be stored are prepared in the portable information recording medium, and only the latest n pieces of authentication data R are stored in the authentication data storing step.

(4) The fourth feature of the present invention resides in a portable information recording medium having a function for executing a predetermined encoding operation for authentication data R when the authentication data R has been transmitted together with an authentication command from external equipment and returning encoded data C resulting from the encoding operation to the external equipment as a response, comprising:

a command receiving part for receiving commands transmitted from the external equipment;

an authentication data storing part for storing the authentication data R;

a secret key storing part for storing a secret key α to be used for the encoding operation;

a disagreement confirming part for confirming disagreement between authentication data R that has been stored in the authentication data storing part and newly received authentication data R when the command receiving part has received the newly received authentication data R together with an authentication command;

an authentication data writing part for writing the newly received authentication data R that the command receiving part has received into the authentication data storing part;

an encoding operation part for obtaining encoded data C by executing an encoding operation for the newly received authentication data R by using the secret key α stored in the secret key storing part on condition that disagreement has been confirmed at the disagreement confirming part; and

a response transmitting part for transmitting a response including the encoded data C to the external equipment.

(5) The fifth feature of the present invention resides in the portable information recording medium according to the fourth feature, wherein:

writing of the newly received authentication data R is carried out at the authentication data writing part on condition that disagreement has been confirmed by the disagreement confirming part.

(6) The sixth feature of the present invention resides in the portable information recording medium according to the fourth or fifth feature, wherein:

a plural number n of storing locations are prepared in the authentication data storing part so that a plural number n of pieces of authentication data R can be stored; and

the authentication data writing part executes processing for writing target authentication data R into respective storing locations, and when all of the plural number n of storing locations are occupied, rewrite processing is applied to a storing location at which the oldest authentication data R has been written.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing general procedures for authenticating a portable information recording medium (IC card) 100 from external equipment (reader/writer device) 200 in a condition where the IC card 100 and the reader/writer device 200 are electrically connected to each other upon inserting the IC card 100 into the reader/writer device 200;

FIG. 2 is a block diagram showing components of a portable information recording medium (IC card) 100 of the invention and external equipment (reader/writer device) 200 in a condition where the IC card 100 is connected to the reader/writer device 200;

FIG. 3 illustrates diagrams showing a construction example of an authentication data storing part 130 and a storage example of authentication data inside the portable information recording medium (IC card) 100 shown in FIG. 2; and

FIG. 4 is a flowchart showing basic procedures of an authentication method for a portable information recording medium relating to the invention.

BEST MODE FOR CARRYING OUT THE INVENTION

Hereinafter, the present invention will be described with reference to the accompanying drawings. First, with reference to the block diagram of FIG. 1, the basic principle of an authentication method that has been conventionally carried out in a general portable information recording medium (more specifically, an IC card) is described. In this authentication method, a public key cryptosystem using a paired key composed of a secret key and a public key is employed.

FIG. 1 is a block diagram showing general procedures for authenticating a portable information recording medium (IC card) 100 from external equipment (reader/writer device) 200 in a condition where the IC card 100 and the reader/writer device 200 are electrically connected to each other by inserting the IC card 100 into the reader/writer device 200. In this illustrated example, a first key α (secret key) is stored in advance in the IC card 100, and a second key β (public key) is stored in advance in the reader/writer device 200. Herein, the first key α is a key unique to a holder who holds this IC card 100, which is a secret key that has not been made public. On the other hand, the second key β is a key that has been made public although the key is unique to the holder. Therefore, it is not necessary to always store the second key β in the reader/writer device 200, and the second key β may be read from other locations (for example, a host computer) as necessary. The IC card 100 is provided with a function for encoding arbitrary data by using the first key α, and the reader/writer device 200 is provided with a function for decoding the encoded data by using the second key β.

Furthermore, the reader/writer device 200 is provided with a function for generating random numbers, and random numbers generated by the reader/writer device 200 are transmitted to the IC card 100 as authentication data R together with an authentication command. The IC card 100 executes an encoding operation for the authentication data R thus transmitted by using the first key α, whereby encoded data C is generated. The encoded data C is uniquely determined based on the authentication data R on condition that the first key α is used. The IC card 100 returns the encoded data C thus obtained to the reader/writer device 200 as a response to the authentication command. The reader/writer device 200 executes a decoding operation for the encoded data C thus transmitted by using the second key β. If data obtained by this decoding operation agrees with the original authentication data R, the IC card 100 is authenticated as valid.

Needless to say, it is necessary to specify the first key α, the second key β, an encoding operation, and a decoding operation in advance in order to make such an authentication method available. Namely, it is necessary to determine the first key α, the second key β, the encoding operation, and the decoding operation in advance so that encoded data C is obtained by executing the encoding operation using the first key α for arbitrary authentication data R, and data identical to the authentication data R is obtained by executing the decoding operation using the second key β for the encoded data C. In other words, the first key α and the second key β need to compose a paired key corresponding to a secret key and a public key in a public key cryptosystem, and an encoding operation to be executed at the IC card 100 and a decoding operation to be executed at the reader/writer device 200 need to correspond to an encoding operation and a decoding operation in this public key cryptosystem.

Since random numbers are used for authentication data R to be generated at the reader/writer device 200, the contents of authentication data to be provided for the IC card 100 differ each time. Therefore, the contents of the encoded data C that is returned from the IC card 100 as a response also differ each time. However, as long as the IC card 100 executes a correct encoding operation by using a correct secret key α, by executing a correct decoding operation at the reader/writer device 200 by using a correct public key β, decoded data agrees with the original authentication data R. Therefore, regardless of numbers used in the original authentication data R, authentication for the IC card 100 is possible. Furthermore, logically, since the secret key α stored in the IC card 100 is never externally read out, it appears that sufficient security is secured.

However, in actuality, as aforementioned, when a method for statistically analyzing electric current consumption of an IC card is used, it becomes possible to externally detect the contents of the secret key α stored in the IC card 100. For example, when authentication data R of “11111111” is repeatedly provided for the IC card 100 and a waveform of electric current consumption at this point inside the IC card 100 is repeatedly measured, a certain pattern is statistically obtained. Likewise, when authentication data R of “00000000” is repeatedly provided for the IC card 100 and a waveform of electric current consumption inside the IC card 100 at this point is repeatedly measured by an electric measuring method, a certain pattern is also statistically obtained. By analyzing such a pattern, the contents of the secret key α stored inside can be estimated by analogy.

In order to nullify such an illegal analyzing method, according to the invention, an encoding operation inside the IC card 100 is rejected when identical authentication data R is repeatedly provided for the IC card 100. For example, in the above-mentioned example, on the assumption that authentication data R of “11111111” is provided in a first authentication command, an encoding operation using the secret key α is executed in response to this first authentication command, and encoded data C thus obtained is returned as a response, and if identical authentication data R of “11111111” is provided in the second and following authentication commands, the authentication commands are rejected, and an encoding operation using the secret key α is not executed. Of course, a normal response cannot be obtained either.

With such a mechanism, since it becomes impossible to repeatedly execute an encoding operation using identical authentication data R, it becomes difficult to analyze the waveform of electric current consumption according to a statistical method.

In order to achieve this object, an IC card 100 may be constructed as shown in the block diagram of FIG. 2. This block diagram of FIG. 2 shows a condition where an IC card 100 (portable information recording medium) relating to the invention is connected to a conventional general reader/writer device 200 (external equipment). As shown in the figure, the IC card 100 relating to the present embodiment comprises command receiving part 110, authentication data writing part 120, authentication data storing part 130, disagreement confirming part 140, encoding operation part 150, secret key storing part 160, and response transmitting part 170. On the other hand, the reader/writer device 200 comprises command transmitting part 210, authentication data generating part 220, response receiving part 230, decoding operation part 240, public key storing part 250, and authenticating part 260. Of course, those shown in FIG. 2 are only components that are necessary for executing authentication processing of the invention, so that an actual IC card and an actual reader/writer device are provided with other components for executing their original functions as an IC card and a reader/writer device.

The reader/writer device 200 shown in FIG. 2 is a conventional general reader/writer device. Namely, a conventional reader/writer device can be used as it is for carrying out the invention. The authentication data generating part 220 is, in actuality, means for generating random numbers, and random numbers generated herein are provided for the IC card 100 as authentication data R. That is, the authentication data R generated as random numbers is transmitted from the command transmitting part 210 to the command receiving part 110 together with an authentication command. The IC card 100 is a portable information recording medium having a function for applying a predetermined encoding operation to authentication data R when the authentication data R has been transmitted together with an authentication command as mentioned above and for returning encoded data C that results from the encoding operation as a response, wherein encoded data C as a response is transmitted from the response transmitting part 170 to the response receiving part 230.

The reader/writer device 200 applies a decoding operation to the encoded data C that has been thus returned. That is, by using the public key β stored in the public key storing part 250, a decoding operation is executed for the encoded data C at the decoding operation part 240. Decoded data that results from this operation is compared at the authenticating part 260 with the original authentication data R generated by the authentication data generating part 220, and when they agree with each other, the IC card 100 is authenticated as valid in the same manner as aforementioned.

On the other hand, processing of an encoding operation to be executed at the IC card 100 is also basically the same as aforementioned. That is, authentication data R received in the command receiving part 110 is provided for the encoding operation part 150 and encoded. The secret key storing part 160 stores a secret key α. The encoding operation part 150 reads out the secret key α from this key storing part 160, and executes an encoding operation for the authentication data R and executes processing for determining encoded data C by using this secret key α. Determined encoded data C is transmitted as a response from the response transmitting part 170.

However, when the encoding operation part 150 executes this encoding operation, permission of the disagreement confirming part 140 is required. In other words, even if authentication data R is provided for the command receiving part 110, unless a signal indicating permission for an encoding operation of this authentication data R is provided from the disagreement confirming part 140, the encoding operation part 150 does not execute an encoding operation. The disagreement confirming part 140 judges whether or not the authentication data R newly provided for the command receiving part 110 agrees with previously provided authentication data R, and only in the case of disagreement, a signal indicating permission for an encoding operation is provided for the encoding operation part 150. For such a judgment at the disagreement confirming part 140, it is necessary to accumulate and store authentication data that has been provided heretofore. Such accumulation processing is executed by the authentication data writing part 120 and the authentication data storing part 130. The authentication data storing part 130 has storage locations for accumulating and storing a plurality of pieces of authentication data R that have been provided heretofore, and the authentication data writing part 120 executes processing for successively writing authentication data R that the command receiving part 110 has received into the authentication data storing part 130.

Of course, when this IC card 100 is initially used, authentication data R has not been accumulated in the authentication data storing part 130; however, each time authentication data R is transmitted together with an authentication command from the command transmitting part 210, the authentication data R is written into the authentication data storing part 130 by the authentication data writing part 120. When the command receiving part 110 has received authentication data R together with an authentication command, the disagreement confirming part 140 confirms disagreement between the authentication data R that has been stored in the authentication data storing part 130 and newly received authentication data R, and provides a signal indicating permission for an encoding operation for the encoding operation part 150. The encoding operation part 150 executes an operation for obtaining encoded data C by executing an encoding operation for the newly received authentication data R by use of the secret key α that has been stored in the secret key storing part 160 on condition that disagreement has been confirmed at this disagreement confirming part 140.

In this embodiment, the authentication data writing part 120 writes newly received authentication data R on condition that disagreement confirming part 140 has confirmed disagreement of the newly received authentication data R. Namely, when the command receiving part 110 has received new authentication data R together with an authentication command, first, the disagreement confirming part 140 executes processing for confirming disagreement, and only when disagreement has been confirmed, the authentication data writing part 120 writes this authentication data R into the authentication data storing part 130. On the contrary, when agreement has been confirmed at the disagreement confirming part 140, the authentication data writing part 120 does not write this authentication data R. Such an operation is useful for eliminating redundancy from data inside the authentication data storing part 130. Namely, data identical to that which has already been stored in the authentication data storing part 130 is prevented from being written again.

In practical use, the memory capacity of the IC card 100 is finite and, of course, the storage capacity of the authentication data storing part 130 is also finite. Therefore, when the IC card 100 is used for a long period of time, repeatedly inserted into a reader/writer device and repeatedly authenticated, the free space inside the authentication data storing part 130 is gradually reduced, and finally, all of the space is occupied by written authentication data R. In such a case, processing may be executed by which only the latest authentication data R is left inside the authentication data storing part 130, and other data is rewritten in order from the oldest data. For example, in a case where a plural number n of storing locations at which authentication data R can be stored have been prepared inside the authentication data storing part 130, only the last n pieces of authentication data R may be stored. Namely, until the free space is completely occupied, processing for successively writing target authentication data R into the respective storing locations is executed, and after all of the plural number n of storing locations are completely occupied, rewrite processing may be applied to a storing location at which the oldest authentication data R has been written.

FIG. 3 illustrates diagrams showing an example of such rewrite processing. First, as shown in diagram (a), in a case where a plural number n of pieces of authentication data shown by storing location numbers 1 through 3 have been prepared, when three pieces of authentication data R(1), R(2), and R(3) are provided in order, these pieces of data are written into the storing location numbers 1, 2, and 3 in order as shown in the figure. Herein, the last written location can be shown by a pointer P. Subsequently, for example, when new authentication data R(4) has been provided, the data is written into the storing location number 4 next to the last written location shown by the pointer P, and the pointer P is updated. The diagram (b) shows a condition where all of the n pieces of authentication data R(1) through R(n) have been written after writing is thus carried out in order. In this condition, when next authentication data R(n+1) has been provided, as shown in diagram (c), the oldest authentication data R(1) at the position of the storing location number 1 may be rewritten. The diagram (d) shows a writing condition when new pieces of authentication data R(n+2) and R(n+3) have been further provided. By executing such rewrite processing, the latest n pieces of authentication data are always accumulated and stored.

FIG. 4 is a flowchart showing procedures of an authentication method for a portable information recording medium relating to the invention. Of course, when carrying out the procedures shown in FIG. 4, it is necessary in advance to prepare a portable information recording medium (IC card 100) that has a function for executing a predetermined encoding operation by using the secret key α, and it is also necessary in advance to prepare external equipment (reader/writer device 200) to access this recording medium.

When the IC card 100 is inserted into the reader/writer device 200, first, in step S1, authentication data R (random numbers) is generated at the reader/writer device 200, and in the next step S2, this authentication data R is transmitted to the IC card 100. In actuality, as mentioned above, the authentication data R is transmitted to the IC card 100 together with an authentication command. After the IC card 100 receives this authentication data R in step S3, in the next step S4, agreement of this data with past n pieces of authentication data R is judged (of course, if the number of pieces of authentication data accumulated in the authentication data storing part 130 has not reached n yet, agreement with authentication data R that has been accumulated up to this point of time may be judged).

Herein, when disagreement of the new data with any of the authentication data R that has been accumulated is judged, the process proceeds from step S5 to step S6, and processing for writing this newly received authentication data R into the authentication data storing part 130 is executed. Thus, previous to authentication data writing processing of step S6, agreement judgment of step S4 is carried out, and only in the case where disagreement is judged, writing processing of step S6 is executed. This is, as mentioned above, in order to prevent redundancy of authentication data R accumulated in the authentication data storing part 130 (in order to avoid overlapped writing of identical data). Next, in step S7, an encoding operation using the secret key α is executed for this authentication data R, and encoded data C obtained by this operation is transmitted as a response in step S8.

The reader/writer device 200 receives this encoded data C transmitted as a response in step S9, and executes a decoding operation using a public key β for this encoded data C in step S10. Then, in step S11, agreement between the decoded data that has been obtained as a result of this decoding operation and the original authentication data R (random numbers generated in step S1) is judged. When they agree with each other, the process proceeds from step S12 to step S13 and the authentication results in success. On the other hand, when they do not agree with each other, the process proceeds from step S12 to S14 and the authentication results in failure.

On the other hand, as a result of agreement judgment made at the IC card 100 in step S4, when agreement with any of the pieces of authentication data R that has accumulated in the authentication data storing part 130 has been judged, the process proceeds from step S5 to step S15, and an error signal is transmitted to the reader/writer device 200 as a response. In this case, the reader/writer device 200 receives an error signal as a response in step S16, and therefore, executes predetermined error processing in the next step S17.

By carrying out authentication for the IC card 100 according to these procedures, only when it is judged in step S4 that newly provided authentication data R disagrees with the past n pieces of authentication data R, an encoding operation is executed in step S7. Therefore, it becomes possible to nullify execution of an illegal analyzing method in which identical authentication data R is repeatedly provided for the IC card 100, and electric power consumption at this point is repeatedly measured, and the secret key α is statistically estimated.
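The card-side and reader-side steps of FIG. 4, as an added example that is not part of the patent text: a C sketch of the disagreement check (S4/S5), the n-location rewrite store (S6), the encoding step (S7/S8) and the reader's decode-and-compare (S9 through S13). The toy RSA numbers, `N_SLOTS = 3`, all function names and the challenge sequences are assumptions constructed for illustration, and the range check on R is needed only by the toy cipher.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy textbook-RSA pair constructed for this example (far too small for real
   use): N = 61 * 53, and ALPHA * BETA = 1 mod 3120. */
#define MOD_N   3233u
#define ALPHA   2753u /* first key (secret), never leaves the card */
#define BETA    17u   /* second key (public), used by the reader */
#define N_SLOTS 3     /* n storing locations in part 130 (assumed value) */

static uint32_t modexp(uint32_t base, uint32_t exp, uint32_t mod) {
    uint64_t result = 1, b = base % mod;
    while (exp) {
        if (exp & 1u) result = (result * b) % mod;
        b = (b * b) % mod;
        exp >>= 1;
    }
    return (uint32_t)result;
}

typedef struct {
    uint32_t slot[N_SLOTS]; /* authentication data storing part 130 */
    size_t   count;         /* occupied locations, at most N_SLOTS */
    size_t   next;          /* next location to write (the oldest once full) */
    unsigned encodings;     /* times the secret-key operation actually ran */
} card_t;

/* Disagreement confirming part 140 (steps S4 and S5). */
static bool card_seen(const card_t *c, uint32_t r) {
    for (size_t i = 0; i < c->count; i++)
        if (c->slot[i] == r) return true;
    return false;
}

/* Authentication data writing part 120 (step S6): rewrite the oldest entry
   once all n locations are occupied. */
static void card_store(card_t *c, uint32_t r) {
    c->slot[c->next] = r;
    c->next = (c->next + 1) % N_SLOTS;
    if (c->count < N_SLOTS) c->count++;
}

/* Card side. Returns true with *c_out set (S7, S8), or false for the error
   response (S15). The secret key is touched only after the check passes. */
bool card_authenticate(card_t *c, uint32_t r, uint32_t *c_out) {
    if (r >= MOD_N || card_seen(c, r)) return false;
    card_store(c, r);
    c->encodings++;
    *c_out = modexp(r, ALPHA, MOD_N);
    return true;
}

/* Reader side (S9 through S13): decode with the public key, compare with R. */
bool reader_verify(uint32_t r, uint32_t c) {
    return modexp(c, BETA, MOD_N) == r;
}

typedef struct { unsigned accepted_mask; unsigned encodings; } result_t;

/* Feeds a challenge sequence to a fresh card. Bit i of accepted_mask is set
   when challenge i was encoded by the card and verified by the reader. */
result_t run_sequence(const uint32_t *rs, size_t len) {
    card_t card = {0};
    result_t res = {0, 0};
    for (size_t i = 0; i < len; i++) {
        uint32_t c;
        if (card_authenticate(&card, rs[i], &c) && reader_verify(rs[i], c))
            res.accepted_mask |= 1u << i;
    }
    res.encodings = card.encodings;
    return res;
}

/* Constructed challenge sequences; a real reader draws these at random (S1). */
const uint32_t SEQ_REPEAT[] = {65, 65, 65, 65};        /* same R every time */
const uint32_t SEQ_MIXED[]  = {65, 100, 65};           /* repeat inside window */
const uint32_t SEQ_WINDOW[] = {65, 100, 200, 300, 65}; /* repeat after rewrite */

int main(void) {
    result_t a = run_sequence(SEQ_REPEAT, 4);
    result_t b = run_sequence(SEQ_MIXED, 3);
    result_t w = run_sequence(SEQ_WINDOW, 5);
    printf("repeat: mask=0x%x encodings=%u\n", a.accepted_mask, a.encodings);
    printf("mixed:  mask=0x%x encodings=%u\n", b.accepted_mask, b.encodings);
    printf("window: mask=0x%x encodings=%u\n", w.accepted_mask, w.encodings);
    return 0;
}
```

`SEQ_WINDOW` shows that a value is refused only while it is among the latest n stored entries, so the choice of n determines how many other values must intervene before the secret-key operation runs on the same R again.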

The present invention has been described based on the illustrated embodiment as above; however, the invention is not limited to this embodiment, and the invention can be carried out in various other modes. For example, in the above-mentioned embodiment, an example in which authentication for an IC card is carried out via a reader/writer device has been described; however, the present invention can be widely applied to cases where authentication for general portable information recording media is carried out from external equipment.

As described above, according to the authentication method for portable information recording media relating to the present invention, sufficient security can be secured against illegal analyzing methods.

INDUSTRIAL APPLICABILITY

The present invention provides a new method for authenticating a portable information recording medium when external equipment accesses the portable information recording medium such as an IC card. Therefore, the invention can be widely applied in fields using various portable information media. The invention is optimally used for a commercial transaction IC card for which sufficient security against illegal analyzing methods is demanded.

1. An authentication method for authenticating a portable information recording medium (100) as valid when external equipment (200) accesses said portable information recording medium, comprising:
an operation defining step for determining a first key (α), a second key (β), an encoding operation, and a decoding operation so that encoded data (C) is obtained by executing said encoding operation using said first key (α) for arbitrary authentication data (R) and data identical to said authentication data (R) is obtained by executing said decoding operation using said second key (β);
a medium preparing step in which said first key (α) is stored in the portable information recording medium (100), and a processing function for executing said encoding operation is prepared for the portable information recording medium;
a random number transmitting step (S1 and S2) in which said external equipment (200) generates a random number or numbers, and said random number or numbers are transmitted to the portable information recording medium (100) as authentication data (R);
an authentication data storing step (S6) in which said transmitted authentication data (R) is received and stored in a predetermined storing location (130) inside the portable information recording medium (100), wherein a plural number n of storing locations (130) at which authentication data (R) can be stored are prepared in the portable information recording medium (100), and only latest n pieces of authentication data (R) are stored in the authentication data storing step (S6), and applying rewrite processing to a storing location at which an oldest authentication data (R) has been written;
a judging step (S4 and S5) in which it is investigated whether or not a newly transmitted authentication data (R) agrees with previously stored authentication data (R) in the portable information recording medium (100), and only when it is determined that the newly transmitted authentication data (R) disagrees with any of the previously stored authentication data (R), it is judged that encoding is permitted;
an encoding step (S7 and S8) in which, only when encoding is permitted in said judging step, the encoding operation using the first key (α) is executed for the transmitted authentication data (R), and resulted encoded data (C) is returned to the external equipment (200);
a decoding step (S9 and S10) in which the decoding operation using the second key (β) is executed in the external equipment (200) for the encoded data (C) that has been returned from the portable information recording medium (100); and
an authenticating step (S11 through S14) in which, when data identical to the authentication data (R) transmitted in said random number transmitting step is obtained as a result of said decoding operation, the portable information recording medium (100) is authenticated as valid.
2. The authentication method according to claim 1, wherein: prior to the authentication data storing step (S6), the judging step (S4) is carried out for the authentication data (R) that has been transmitted in the random number transmitting step (S1 and S2), and only when encoding is permitted in the judging step, the authentication data storing step (S6) is carried out.
3. A portable information recording medium having a function for executing a predetermined encoding operation for authentication data (R) when the authentication data (R) has been transmitted together with an authentication command from external equipment and returning encoded data (C) resulting from the encoding operation to the external equipment as a response, comprising:
a command receiving part (110) receiving commands transmitted from said external equipment (200);
an authentication data storing part (130) storing said authentication data (R) wherein a plural number n of storing locations are prepared in the authentication data storing part (130) so that a plural number n of pieces of authentication data (R) can be stored;
a secret key storing part (160) storing a secret key (α) to be used for said encoding operation;
a disagreement confirming part (140) confirming disagreement between authentication data (R) that has been stored in said authentication data storing part and newly received authentication data (R) when the command receiving part (110) has received said newly received authentication data (R) together with an authentication command;
an authentication data writing part (120) writing said newly received authentication data (R) that the command receiving part (110) has received into said authentication data storing part (130), wherein the authentication data writing part (120) executes processing for writing target authentication data (R) into respective storing locations, and when all of the plural number n of storing locations are occupied, rewrite processing is applied to a storing location at which an oldest authentication data (R) has been written;
an encoding operation part (150) obtaining encoded data (C) by executing an encoding operation for said newly received authentication data (R) by using the secret key (α) stored in the secret key storing part (160) only on condition that disagreement has been confirmed at the disagreement confirming part (140); and
a response transmitting part (170) transmitting a response including said encoded data (C) to the external equipment (200).
4. The portable information recording medium according to claim 3, wherein: writing of the newly received authentication data (R) is carried out at the authentication data writing part (120) on condition that disagreement has been confirmed by the disagreement confirming part (140).
5. The authentication method according to claim 2, wherein: a plural number n of storing locations (130) at which authentication data (R) can be stored are prepared in the portable information recording medium (100), and only latest n pieces of authentication data (R) are stored in the authentication data storing step (S6).
6. The portable information recording medium according to claim 4, wherein: a plural number n of storing locations are prepared in the authentication data storing part (130) so that a plural number n of pieces of authentication data (R) can be stored; and the authentication data writing part (120) executes processing for writing target authentication data (R) into respective storing locations, and when all of the plural number n of storing locations are occupied, rewrite processing is applied to a storing location at which an oldest authentication data (R) has been written.